The rootkit was discovered by a user of the security mailing list Full Disclosure, who posted his observations, including the suspicious kernel module, to the list.

Anyone who visits a web page on the compromised server is attacked via an iframe that the rootkit injects into the served page; the iframe loads a specially crafted attack page from a third-party host.

Criminals typically use exploit kits such as Blackhole for this attack page. The kit probes the visitor's system to establish which of a number of vulnerabilities in Flash, Java and other applications it can exploit; once it finds an exploitable hole, it installs malware on the visitor's system. The compromised web server is thus ultimately used to redirect its visitors to a second web server, which then infects poorly maintained systems, typically Windows machines, with malware.

Anti-virus software company Kaspersky Lab analyzed the malware. The rootkit, which it has dubbed Rootkit.Linux.Snakso.a, targets 64-bit systems and was compiled for kernel version 2.6.32-5, the kernel used in Debian Squeeze, Kaspersky said. For persistence, the rootkit adds the line insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko to the /etc/rc.local script, ensuring the malicious module is loaded each time the system boots.
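The rc.local persistence described above is cheap to check for on a suspect host. The following is an added triage script, not code from the article or from Kaspersky's analysis: it lists every insmod/modprobe line in an rc.local and asks dpkg whether the referenced module file belongs to an installed package. The rc.local contents below are constructed sample input that reproduces the injected line; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): triage of /etc/rc.local for
# kernel modules loaded outside the package manager, the persistence trick
# used by Rootkit.Linux.Snakso.a.

# Constructed sample of an infected rc.local (hypothetical content).
SAMPLE_RC_LOCAL='#!/bin/sh -e
# rc.local
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0'

# Constructed sample of a stock Debian rc.local with nothing added.
CLEAN_RC_LOCAL='#!/bin/sh -e
exit 0'

# Print every insmod/modprobe command in the given rc.local text. Debian
# loads extra modules via /etc/modules, so any module load from rc.local is
# unusual and worth a look. Exit status follows grep (1 when nothing found).
find_module_loads() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*(insmod|modprobe)[[:space:]]'
}

# Succeed if dpkg knows the given file. A .ko under a stock kernel directory
# that no package owns was dropped there by something other than apt/dpkg.
# If dpkg is not installed the check fails, which also flags the module.
module_owned_by_package() {
    dpkg -S "$1" >/dev/null 2>&1
}

# Report each module referenced from rc.local and whether it is packaged.
# Returns 1 if at least one unpackaged module is loaded from rc.local.
triage_rc_local() {
    status=0
    for path in $(find_module_loads "$1" | awk '{print $2}'); do
        if module_owned_by_package "$path"; then
            echo "packaged module loaded from rc.local: $path"
        else
            echo "UNPACKAGED module loaded from rc.local: $path"
            status=1
        fi
    done
    return $status
}

# Usage on a live host: triage_rc_local "$(cat /etc/rc.local)"
# Demonstration on the constructed samples:
triage_rc_local "$SAMPLE_RC_LOCAL"
triage_rc_local "$CLEAN_RC_LOCAL" && echo "clean rc.local: nothing loaded"
```

Because the module hooks kernel functions to hide itself, lsmod and /proc/modules on the running system cannot be trusted; the boot script and the on-disk .ko are a separate vantage point that the rootkit does not conceal, which is why this check reads the file rather than the module list.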

Once loaded at boot, the module determines the memory addresses of a number of kernel functions and hooks them. This allows it to hide itself from the user and to manipulate the server's network traffic, which is how the iframe is injected. The rootkit obtains its instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it was compiled with debug information still present.